Asterisk on CentOS 9, TLS problem

ldardini · June 24, 2024, 4:13pm

I found no problems running Asterisk on CentOS 7 servers and using TLS clients on both chan_sip and PJSIP, using tlsv1. When moving Asterisk on CentOS 9, TLS seems not able to work. Regardless of the configuration I may use, the problem is always the same:

[2024-06-24 17:57:42] WARNING[1309216]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <167772351> <error:0A0000BF:SSL routines::no protocols available> len: 0 peer: 213...85:42778

I have tried to use the exact configuration listed in configs/samples/pjsip.conf without any success.

Something like:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5081
cert_file=/etc/letsencrypt/live/pbx.****.com/cert.pem
priv_key_file=/etc/letsencrypt/live/pbx.****.com/privkey.pem
method=tlsv1
cipher=ADH-AES256-SHA,ADH-AES128-SHA

Even if I try with a browser to connect to port 5081 (PJSIP TLS), the result is always “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”

If I try to check with the command

nmap --script ssl-enum-ciphers -p 5081 pbx.****.com

But no ciphers are detected.

I have also tried without specifying the method and the cipher, but the result is still the same

OpenSSL on CentOS 9 server is version 3.0.7

Where am I wrong?

logikanet · June 24, 2024, 5:54pm

ADH-AES256-SHA,ADH-AES128-SHA are deprecated and insecure, odd are they have been removed on earlier versions of openssl, have you checked what ciphers are available ? try : openssl ciphers -v or openssl ciphers -v | grep TLSv1

ldardini · June 25, 2024, 10:18am

I have checked the list of ciphers returned from the “openssl chiphers -v” command carefully selecting one or more of them, doesn’t fix the problem. Has there anyone a working pjsip.conf with TLS on CentOS 9 and derivative?

jcolp · June 25, 2024, 10:21am

Your problem is likely TLSv1 usage, which is considered insecure and distros have taken to disabling support for it in OpenSSL. They only allow 1.2 and above. I vaguely recall you have to enable legacy support in OpenSSL to allow it to work, but don’t recall the specifics.

ldardini · June 29, 2024, 10:08am

There seems no way. The server is on “legacy” openssl verified with “update-crypto-policies --show”. The server has been rebooted and asterisk recompiled, but the only available method is still TLS 1.3 which has very little support among phones.

cable · June 29, 2024, 5:21pm

What version of Asterisk are you running?

ldardini · June 30, 2024, 6:09pm

I am running Asterisk 20.8.0, but I have tried also on Asterisk 18.23.1. These asterisk versions are working great with CentOS 7, but on CentOS 9 with openssl 3.07, can’t work with anything below TLS 1.3. OpenSSL has been set already in “legacy mode”

# update-crypto-policies --show
LEGACY

cable · June 30, 2024, 7:08pm

Try this:
cipher=DEFAULT,@SECLEVEL=1
method=tlsv1_2

This will dynamically configure openssl to a lower security level for Asterisk (only).

ldardini · July 1, 2024, 2:46pm

Thank you, that fixed PJSIP protocol. Is there a similar recipe for chan_sip (I know it is no more supported)

cable · July 1, 2024, 10:32pm

You would probably have to set openssl to a lower security level (which affects the whole server). That can be done as follows in /etc/ssl/openssl.cnf:

Go down to [openssl_init] and below that line add:

ssl_conf = ssl_sect

Then go to the bottom of the file and add:

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

cable · July 2, 2024, 7:34am

Adding more details:
If there is no “[openssl_init]” follow this instead of above:
At the top of the file add:

openssl_conf = default_conf

At the bottom of the file add:

[default_conf]
ssl_conf = ssl_sect

Then add the whole bottom section shown in my post before this one. RH varieties will probably use this format.

ldardini · July 2, 2024, 10:59am

Unfortunately it is not working yet for chan_sip. PJSIP is good.

ldardini · July 3, 2024, 7:28am

Thanks to cable instructions, here is a fast recipe to make TLS1.2 work on CentOS 9 for PJSIP.

reconfigure the crypto policies to “legacy” by running

update-crypto-policies --set LEGACY

reboot the server
verify the crypto policies being updated

update-crypto-policies --show

configure pjsip.conf as following

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5081
cert_file=/etc/letsencrypt/live/pbx.yourdomain.com/cert.pem
priv_key_file=/etc/letsencrypt/live/pbx.yourdomain.com/privkey.pem
method=tlsv1_2
cipher=DEFAULT,@SECLEVEL=1

verify using openssl

openssl s_client -connect pbx.yourdomain.com:5081 -cipher ALL

system · August 2, 2024, 7:29am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pjsip tls trouble Asterisk SIP	3	8043	March 24, 2018
How to force Asterisk 13.19.1 to use TLS1.2 on Centos 6 Asterisk WebRTC	6	2071	December 19, 2020
Transport TLS on Ubuntu 20.04 issue Asterisk SIP	3	1112	March 3, 2022
Configuring Asteriak 1.6.0.1 with TLS support Asterisk Support	3	367	April 2, 2009
PJSIP TLS Failing to initialise Asterisk Support	3	339	June 17, 2022

Asterisk on CentOS 9, TLS problem

Related topics